A Windows asterisk password viewer built in pure Go. Reveals passwords hidden behind asterisks/bullets in Windows application password fields (e.g., Xshell, mstsc, etc.).
Uses a crosshair drag-to-target UI pattern (similar to Spy++/BulletsPassView): drag the crosshair icon onto any password input field to reveal its content.
- Crosshair drag-to-target — drag the crosshair onto any password field to reveal it
- 32-bit and 64-bit process support — automatically detects target process architecture and injects appropriate shellcode
- Multiple extraction methods — shellcode injection (primary), EM_GETLINE, style removal, password char reset
- Pure Go — no CGo, no GUI frameworks, raw Win32 API via
golang.org/x/sys/windows - Non-blocking UI — async extraction via goroutines + PostMessage
- Press and hold the crosshair icon in the window
- Drag it over any password input field in another application
- Release the mouse button — the password is revealed
For password-protected edit controls, the tool injects a small shellcode stub into the target process that calls SendMessageW(hwnd, WM_GETTEXT, ...) from inside the target, bypassing the cross-process password protection introduced in Windows XP SP2.
The tool detects whether the target process is 32-bit (WoW64) or 64-bit using IsWow64Process, then:
- 64-bit targets: resolves
SendMessageWviaGetModuleHandleA+GetProcAddress, injects x64 fastcall shellcode - 32-bit targets: enumerates modules via
CreateToolhelp32Snapshot, parses the 32-bituser32.dllPE export table to findSendMessageW, injects x86 stdcall shellcode
Requires Go 1.21+ and a Windows environment.
go build -ldflags "-H windowsgui" -o passwordviewer.exeThe -H windowsgui flag suppresses the console window.
| File | Description |
|---|---|
main.go |
Entry point, window procedure, message loop |
window.go |
Window class registration, main window and child controls |
crosshair.go |
Crosshair drag state machine, highlight drawing |
extractor.go |
Password extraction orchestration, multiple approaches |
remotereader.go |
Shellcode injection engine, 32/64-bit support, PE export parsing |
winapi.go |
Win32 constants, DLL proc declarations, struct types |
- Windows 10/11 (x64)
- Go 1.21+
golang.org/x/sys/windows
This tool is intended for recovering your own forgotten passwords from running applications. Use responsibly and only on systems you own or have explicit authorization to test.
一个使用纯 Go 编写的 Windows 星号密码查看器。可以揭示 Windows 应用程序密码输入框中隐藏在星号/圆点后面的密码(如 Xshell、mstsc 等)。
采用十字准星拖拽式 UI 模式(类似 Spy++/BulletsPassView):将十字准星图标拖拽到任意密码输入框即可显示其内容。
- 十字准星拖拽 — 将十字准星拖到任意密码框即可揭示密码
- 支持 32 位和 64 位进程 — 自动检测目标进程架构并注入相应的 shellcode
- 多种提取方式 — shellcode 注入(主要方式)、EM_GETLINE、样式移除、密码字符重置
- 纯 Go 实现 — 无 CGo,无 GUI 框架,通过
golang.org/x/sys/windows直接调用 Win32 API - UI 不阻塞 — 通过 goroutine + PostMessage 实现异步提取
- 按住窗口中的十字准星图标
- 将其拖动到其他应用程序的任意密码输入框上
- 松开鼠标 — 密码即被揭示
对于受密码保护的编辑控件,工具会向目标进程注入一段小型 shellcode,从目标进程内部调用 SendMessageW(hwnd, WM_GETTEXT, ...),绕过 Windows XP SP2 引入的跨进程密码保护机制。
工具使用 IsWow64Process 检测目标进程是 32 位(WoW64)还是 64 位,然后:
- 64 位目标:通过
GetModuleHandleA+GetProcAddress解析SendMessageW地址,注入 x64 fastcall 调用约定的 shellcode - 32 位目标:通过
CreateToolhelp32Snapshot枚举模块,解析 32 位user32.dll的 PE 导出表找到SendMessageW地址,注入 x86 stdcall 调用约定的 shellcode
需要 Go 1.21+ 和 Windows 环境。
go build -ldflags "-H windowsgui" -o passwordviewer.exe-H windowsgui 参数用于隐藏控制台窗口。
| 文件 | 说明 |
|---|---|
main.go |
入口、窗口过程、消息循环 |
window.go |
窗口类注册、主窗口和子控件创建 |
crosshair.go |
十字准星拖拽状态机、高亮绘制 |
extractor.go |
密码提取编排、多种提取方式 |
remotereader.go |
Shellcode 注入引擎、32/64 位支持、PE 导出表解析 |
winapi.go |
Win32 常量、DLL 过程声明、结构体类型 |
- Windows 10/11 (x64)
- Go 1.21+
golang.org/x/sys/windows
本工具仅用于恢复您自己在运行中的应用程序中遗忘的密码。请负责任地使用,仅在您拥有或获得明确授权的系统上使用。